Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.
Published: 2026-03-27
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Full Application Compromise
Action: Immediate Patch
AI Analysis

Impact

MyTube contains an improper access control flaw that permits an attacker with low‑privilege authentication to upload and replace the entire SQLite database via the /api/settings/import-database endpoint. By doing so, the attacker can modify or delete all stored data, effectively gaining complete control over the application. The weakness manifests as improper authorization and privilege escalation, allowing the attacker to bypass intended restrictions and execute arbitrary operations against the application’s data layer.

Affected Systems

The vulnerability affects the MyTube self‑hosted downloader and player. All releases prior to version 1.8.69 are affected by the authorization bypass. Version 1.8.69 and later contain the fix that removes the privilege escalation path.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The attacker requires only authenticated, low‑privilege access and the ability to send a POST request to the vulnerable endpoint; no special conditions beyond that are described.

Generated by OpenCVE AI on April 1, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyTube to version 1.8.69 or later to eliminate the authorization bypass.



Advisories

No advisories yet.

History

Tue, 31 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Franklioxygen
Franklioxygen mytube
Vendors & Products Franklioxygen
Franklioxygen mytube

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.
Title MyTube has an Improper Access Control that Allows Complete Application Takeover
Weaknesses CWE-285
CWE-639
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:50:13.478Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33735

Vulnrichment

Updated: 2026-03-27T13:19:48.727Z

NVD

Status: Analyzed

Published: 2026-03-27T01:16:20.840

Modified: 2026-03-31T19:02:38.313

Link: CVE-2026-33735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:51Z

Weaknesses